[package]
name = "boring"
version = { workspace = true }
authors = ["Steven Fackler <sfackler@gmail.com>", "Ivan Nikulin <ifaaan@gmail.com>"]
license = "Apache-2.0"
description = "BoringSSL bindings"
repository = { workspace = true }
documentation = "https://docs.rs/boring"
readme = "README.md"
keywords = ["crypto", "tls", "ssl", "dtls"]
categories = ["cryptography", "api-bindings"]
edition = { workspace = true }

[package.metadata.docs.rs]
features = ["rpk", "pq-experimental", "underscore-wildcards"]
rustdoc-args = ["--cfg", "docsrs"]

[features]
# Controlling the build

# Use a FIPS-validated version of boringssl.
fips = ["boring-sys/fips"]

# Link with precompiled FIPS-validated `bcm.o` module.
fips-link-precompiled = ["boring-sys/fips-link-precompiled"]

# Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
# This feature is necessary in order to compile the bindings for the
# default branch of boringSSL. Alternatively, a version of boringSSL that
# implements the same feature set can be provided by setting
# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
rpk = ["boring-sys/rpk"]

# Applies a patch to the boringSSL source code that enables support for PQ key
# exchange. This feature is necessary in order to compile the bindings for the
# default branch of boringSSL. Alternatively, a version of boringSSL that
# implements the same feature set can be provided by setting
# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
pq-experimental = ["boring-sys/pq-experimental"]

# Applies a patch to enable
# `ffi::X509_CHECK_FLAG_UNDERSCORE_WILDCARDS`. Same caveats as
# those for `pq-experimental` feature apply.
underscore-wildcards = ["boring-sys/underscore-wildcards"]

# Controlling key exchange preferences at compile time

# Choose key exchange preferences at compile time. This prevents the user from
# choosing their own preferences.
kx-safe-default = []

# Support PQ key exchange. The client will prefer classical key exchange, but
# will upgrade to PQ key exchange if requested by the server. This is the
# safest option if you don't know if the peer supports PQ key exchange. This
# feature implies "kx-safe-default".
kx-client-pq-supported = ["kx-safe-default"]

# Prefer PQ key exchange. The client will prefer PQ exchange, but fallback to
# classical key exchange if requested by the server. This is the best option if
# you know the peer supports PQ key exchange. This feature implies
# "kx-safe-default" and "kx-client-pq-supported".
kx-client-pq-preferred = ["kx-safe-default", "kx-client-pq-supported"]

# Disable key exchange involving non-NIST key exchange on the client side.
# Implies "kx-safe-default".
kx-client-nist-required = ["kx-safe-default"]

[dependencies]
bitflags = { workspace = true }
foreign-types = { workspace = true }
once_cell = { workspace = true }
libc = { workspace = true }
boring-sys = { workspace = true }

[dev-dependencies]
hex = { workspace = true }
rusty-hook = { workspace = true }
